How to enable IPsec on Linux instances

This guide covers how to connect to Zadara VPSAs over IPsec using Openswan (tested with 2.6.37; higher versions will also work).


  • Install Openswan with your distribution's package manager:
    • apt-get install openswan (Debian/Ubuntu)
    • yum install openswan.x86_64 (RHEL/CentOS)
  • Edit /etc/ipsec.conf so that the iSCSI connection is defined:

###################

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
   # Debug-logging controls: "none" for (almost) none, "all" for lots.
   # klipsdebug=none
   plutodebug="parsing control lifecycle dpd"
   # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
   protostack=netkey
   nat_traversal=no
   # virtual_private=
   oe=off
   # Enable this if you see "failed to find any available worker"
   # nhelpers=0
   uniqueids=yes


conn zadara-VPSA-iscsi
   type=transport
   auto=start
   authby=secret
   ike=aes128-sha1-modp1024
   phase2=esp
   phase2alg=aes128-sha1
   ikev2=never
   dpddelay=5
   dpdtimeout=5
   dpdaction=restart
   pfs=no
   salifetime=1h
   rekey=yes
   rekeymargin=9m
   keyingtries=%forever # Always try to connect to VPSA
   ikelifetime=3h
   left=<Server-IP>
   leftprotoport=tcp
   right=<VPSA-IP>
   rightprotoport=tcp/3260


For NFS over IPsec, add a second conn section with a different name and the NFS port, e.g.:

conn zadara-VPSA-NFS
   type=transport
   auto=start
   authby=secret
   ike=aes128-sha1-modp1024
   phase2=esp
   phase2alg=aes128-sha1
   ikev2=never
   dpddelay=5
   dpdtimeout=5
   dpdaction=restart
   pfs=no
   salifetime=1h
   rekey=yes
   rekeymargin=9m
   keyingtries=%forever # Always try to connect to VPSA
   ikelifetime=3h
   left=<Server-IP>
   leftprotoport=tcp
   right=<VPSA-IP>
   rightprotoport=tcp/2049


The file /etc/ipsec.secrets should contain the pre-shared key (PSK). This can be obtained by viewing the properties of the server within the VPSA. The two addresses at the start of the line must match the left= and right= values of the conn sections above, otherwise Pluto will not find a key for the connection:


###################

<server-IP> <VPSA-IP>: PSK "<INSERT PSK>"

###################
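The following pre-flight script is an added example, not part of the Zadara article or of Openswan itself. It checks the /etc/ipsec.conf and /etc/ipsec.secrets pair described above before the service is restarted: no template placeholders (<Server-IP>, <VPSA-IP>, <INSERT PSK>) may remain, the secrets file must be readable by its owner only, and every conn's left=/right= pair must have a matching PSK line. The file paths, addresses and the sample files written at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added pre-flight check, not part of the Zadara article or of Openswan:
# validates an ipsec.conf / ipsec.secrets pair before
# "/etc/init.d/ipsec restart". All paths and sample contents are constructed.

# Fail if any "<...>" placeholder from the template is still present.
check_no_placeholders() {
    ! grep -q '<[^>]*>' "$1"
}

# Fail unless the secrets file is readable by its owner only (0600 or 0400):
# the PSK is a credential and Openswan reads the file as root anyway.
check_secrets_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    [ "$m" = "600" ] || [ "$m" = "400" ]
}

# Fail unless every "conn" has a PSK line whose two leading addresses equal
# its left= and right= values (trailing "# comments" are ignored).
check_secret_for_each_conn() {
    conf="$1"; secrets="$2"
    awk '
        /^conn /        { name = $2 }
        /^[ \t]*left=/  { v = $0; sub(/^[ \t]*left=/, "", v);  sub(/[ \t#].*$/, "", v); left[name]  = v }
        /^[ \t]*right=/ { v = $0; sub(/^[ \t]*right=/, "", v); sub(/[ \t#].*$/, "", v); right[name] = v }
        END { for (n in left) print left[n], right[n] }
    ' "$conf" | while read -r l r; do
        # "exit" leaves the while-loop subshell; its status becomes the pipeline status
        grep -q "^$l $r: PSK " "$secrets" || exit 1
    done
}

# Run all checks; report the first problem found and return non-zero.
preflight() {
    conf="$1"; secrets="$2"
    check_no_placeholders "$conf"    || { echo "placeholder left in $conf" >&2; return 1; }
    check_no_placeholders "$secrets" || { echo "placeholder left in $secrets" >&2; return 1; }
    check_secrets_mode "$secrets"    || { echo "$secrets must be mode 0600" >&2; return 1; }
    check_secret_for_each_conn "$conf" "$secrets" \
        || { echo "a conn has no matching PSK line in $secrets" >&2; return 1; }
    echo "ok: $conf and $secrets are consistent"
}

# --- constructed demonstration files (addresses are examples, not real hosts) ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/ipsec.conf" <<'EOF'
conn zadara-VPSA-iscsi
   type=transport
   authby=secret
   keyingtries=%forever # Always try to connect to VPSA
   left=10.0.0.5
   right=10.0.0.20
   rightprotoport=tcp/3260
conn zadara-VPSA-NFS
   type=transport
   authby=secret
   left=10.0.0.5
   right=10.0.0.20
   rightprotoport=tcp/2049
EOF
printf '10.0.0.5 10.0.0.20: PSK "example-psk-not-real"\n' > "$DEMO_DIR/ipsec.secrets"
chmod 600 "$DEMO_DIR/ipsec.secrets"

# A secrets file with the template placeholders still in place, to show a failure.
printf '<server-IP> <VPSA-IP>: PSK "<INSERT PSK>"\n' > "$DEMO_DIR/unfilled.secrets"

preflight "$DEMO_DIR/ipsec.conf" "$DEMO_DIR/ipsec.secrets"
preflight "$DEMO_DIR/ipsec.conf" "$DEMO_DIR/unfilled.secrets" || true
```

Run it as preflight /etc/ipsec.conf /etc/ipsec.secrets on the real files; the address match uses grep, so dots in the addresses match any character, which is adequate for catching a copy-paste mismatch but not a strict parser.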


Start or restart Openswan:


/etc/init.d/ipsec restart


If you only want to re-read the secrets file without restarting the service:
ipsec whack --rereadsecrets

Diagnostics:
ipsec whack --status
